1 # See README.md for usage information
4 $manage_docroot = true,
5 $virtual_docroot = false,
10 $docroot_owner = 'root',
11 $docroot_group = $::apache::params::root_group,
12 $docroot_mode = undef,
# TLS-related parameters. Certificate, key, chain, CA and CRL defaults are
# read from the apache base class and from apache::params.
# NOTE(review): $ssl_protocol, $ssl_honorcipherorder, $ssl_verify_client and
# $ssl_verify_depth default to undef. Presumably the vhost then falls back to
# the server-wide mod_ssl settings -- confirm those set the intended protocol
# floor and client-certificate policy, or pass explicit values per vhost.
15 $ssl_cert = $::apache::default_ssl_cert,
16 $ssl_key = $::apache::default_ssl_key,
17 $ssl_chain = $::apache::default_ssl_chain,
18 $ssl_ca = $::apache::default_ssl_ca,
19 $ssl_crl_path = $::apache::default_ssl_crl_path,
20 $ssl_crl = $::apache::default_ssl_crl,
21 $ssl_crl_check = $::apache::default_ssl_crl_check,
22 $ssl_certs_dir = $::apache::params::ssl_certs_dir,
23 $ssl_protocol = undef,
25 $ssl_honorcipherorder = undef,
26 $ssl_verify_client = undef,
27 $ssl_verify_depth = undef,
29 $ssl_proxyengine = false,
31 $default_vhost = false,
# NOTE(review): the default option list contains 'Indexes' and
# 'FollowSymLinks'. The place where $options is applied is not visible in this
# listing; if it ends up on the docroot <Directory>, Apache serves generated
# directory listings for directories without an index file and follows
# symlinks out of the docroot. Override $options where that is not wanted.
34 $options = ['Indexes','FollowSymLinks','MultiViews'],
38 $logroot = $::apache::logroot,
39 $logroot_ensure = 'directory',
40 $logroot_mode = undef,
43 $access_log_file = false,
44 $access_log_pipe = false,
45 $access_log_syslog = false,
46 $access_log_format = false,
47 $access_log_env_var = false,
52 $error_log_file = undef,
53 $error_log_pipe = undef,
54 $error_log_syslog = undef,
55 $error_documents = [],
56 $fallbackresource = undef,
60 $proxy_dest_match = undef,
61 $proxy_dest_reverse_match = undef,
63 $proxy_pass_match = undef,
64 $suphp_addhandler = $::apache::params::suphp_addhandler,
65 $suphp_engine = $::apache::params::suphp_engine,
66 $suphp_configpath = $::apache::params::suphp_configpath,
69 $php_admin_flags = {},
70 $php_admin_values = {},
72 $no_proxy_uris_match = [],
73 $proxy_preserve_host = false,
74 $proxy_error_override = false,
75 $redirect_source = '/',
76 $redirect_dest = undef,
77 $redirect_status = undef,
78 $redirectmatch_status = undef,
79 $redirectmatch_regexp = undef,
80 $redirectmatch_dest = undef,
81 $rack_base_uris = undef,
83 $request_headers = undef,
85 $rewrite_base = undef,
86 $rewrite_rule = undef,
87 $rewrite_cond = undef,
92 $wsgi_application_group = undef,
93 $wsgi_daemon_process = undef,
94 $wsgi_daemon_process_options = undef,
95 $wsgi_import_script = undef,
96 $wsgi_import_script_options = undef,
97 $wsgi_process_group = undef,
98 $wsgi_script_aliases = undef,
99 $wsgi_pass_authorization = undef,
100 $wsgi_chunked_request = undef,
101 $custom_fragment = undef,
104 $fastcgi_server = undef,
105 $fastcgi_socket = undef,
106 $fastcgi_dir = undef,
107 $additional_includes = [],
108 $apache_version = $::apache::apache_version,
109 $allow_encoded_slashes = undef,
110 $suexec_user_group = undef,
111 $passenger_app_root = undef,
112 $passenger_app_env = undef,
113 $passenger_ruby = undef,
114 $passenger_min_instances = undef,
115 $passenger_start_timeout = undef,
116 $passenger_pre_start = undef,
117 $add_default_charset = undef,
118 $modsec_disable_vhost = undef,
119 $modsec_disable_ids = undef,
120 $modsec_disable_ips = undef,
121 $modsec_body_limit = undef,
123 # The base class must be included first because it is used by parameter defaults
124 if ! defined(Class['apache']) {
125 fail('You must include the apache base class before using any apache defined resources')
128 $apache_name = $::apache::apache_name
# Reject unsupported values for the enumerated and boolean parameters.
# NOTE(review): validate_re evaluates its pattern as a Ruby regular
# expression, where ^ and $ anchor at line boundaries, not at the start and end
# of the whole string. A multi-line value passes as soon as one of its lines
# matches; \A and \z would anchor the complete value.
130 validate_re($ensure, '^(present|absent)$',
131 "${ensure} is not supported for ensure.
132 Allowed values are 'present' and 'absent'.")
133 validate_re($suphp_engine, '^(on|off)$',
134 "${suphp_engine} is not supported for suphp_engine.
135 Allowed values are 'on' and 'off'.")
136 validate_bool($ip_based)
137 validate_bool($access_log)
138 validate_bool($error_log)
140 validate_bool($default_vhost)
141 validate_bool($ssl_proxyengine)
# Only the first element of $rewrites is checked to be a hash; later elements
# are not type-checked by these two calls.
143 validate_array($rewrites)
144 validate_hash($rewrites[0])
147 # Input validation begins
# NOTE(review): every validate_re pattern in this section uses ^ and $. In
# Ruby these are line anchors, so a value containing a newline is accepted if
# any single line matches. Values validated here are later rendered into the
# vhost configuration by ERB templates, so \A and \z are the safer anchors.
149 if $suexec_user_group {
# $suexec_user_group selects the account suexec runs as, so it is the value
# where the line-anchor caveat above matters most.
150 validate_re($suexec_user_group, '^\w+ \w+$',
151 "${suexec_user_group} is not supported for suexec_user_group. Must be 'user group'.")
154 if $wsgi_pass_authorization {
# The value is lower-cased for the check only; the error message reports the
# value as it was passed in.
155 validate_re(downcase($wsgi_pass_authorization), '^(on|off)$',
156 "${wsgi_pass_authorization} is not supported for wsgi_pass_authorization.
157 Allowed values are 'on' and 'off'.")
160 # Deprecated backwards-compatibility
162 warning('Apache::Vhost: parameter rewrite_base is deprecated in favor of rewrites')
165 warning('Apache::Vhost: parameter rewrite_rule is deprecated in favor of rewrites')
168 warning('Apache::Vhost parameter rewrite_cond is deprecated in favor of rewrites')
# The three WSGI option parameters below are only checked for being hashes.
171 if $wsgi_script_aliases {
172 validate_hash($wsgi_script_aliases)
174 if $wsgi_daemon_process_options {
175 validate_hash($wsgi_daemon_process_options)
177 if $wsgi_import_script_options {
178 validate_hash($wsgi_import_script_options)
184 validate_re($logroot_ensure, '^(directory|absent)$',
185 "${logroot_ensure} is not supported for logroot_ensure.
186 Allowed values are 'directory' and 'absent'.")
189 validate_apache_log_level($log_level)
# A log destination may be given as a file or as a pipe, but not both.
192 if $access_log_file and $access_log_pipe {
193 fail("Apache::Vhost[${name}]: 'access_log_file' and 'access_log_pipe' cannot be defined at the same time")
196 if $error_log_file and $error_log_pipe {
197 fail("Apache::Vhost[${name}]: 'error_log_file' and 'error_log_pipe' cannot be defined at the same time")
200 if $fallbackresource {
# NOTE(review): alternation binds looser than ^, so this pattern reads as
# "starts with /" OR "contains 'disabled' anywhere". Any string that merely
# contains the word 'disabled' is accepted, which is wider than the error
# message describes; '\A(/.*|disabled)\z' would match the stated intent.
201 validate_re($fallbackresource, '^/|disabled', 'Please make sure fallbackresource starts with a / (or is "disabled")')
204 if $custom_fragment {
# Type check only: the content of $custom_fragment is not inspected here.
# Treat it as trusted configuration and control who can set it.
205 validate_string($custom_fragment)
208 if $allow_encoded_slashes {
209 validate_re($allow_encoded_slashes, '(^on$|^off$|^nodecode$)', "${allow_encoded_slashes} is not permitted for allow_encoded_slashes. Allowed values are 'on', 'off' or 'nodecode'.")
212 # Input validation ends
214 if $ssl and $ensure == 'present' {
215 include ::apache::mod::ssl
216 # Required for the AddType lines.
217 include ::apache::mod::mime
220 if $virtual_docroot {
221 include ::apache::mod::vhost_alias
224 if $wsgi_daemon_process {
225 include ::apache::mod::wsgi
228 if $suexec_user_group {
229 include ::apache::mod::suexec
232 if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start {
233 include ::apache::mod::passenger
236 # Configure the defaultness of a vhost
238 $priority_real = "${priority}-"
239 } elsif $priority == false {
241 } elsif $default_vhost {
242 $priority_real = '10-'
244 $priority_real = '25-'
247 ## Apache include does not always work with spaces in the filename
# NOTE(review): only spaces are replaced. Path separators or '..' in the
# resource title are carried unchanged into $filename, which is interpolated
# into the path of the vhost .conf file elsewhere in this manifest. Keep
# titles to plain names, or validate $name before it is used here.
248 $filename = regsubst($name, ' ', '_', 'G')
250 # This ensures that the docroot exists
251 # But enables it to be specified across multiple vhost resources
# The File resource is declared only when $manage_docroot is true and no
# File[$docroot] has been declared yet.
252 if ! defined(File[$docroot]) and $manage_docroot {
255 owner => $docroot_owner,
256 group => $docroot_group,
# $docroot_mode defaults to undef in the parameter list, so no mode is
# specified unless the caller passes one.
257 mode => $docroot_mode,
258 require => Package['httpd'],
259 before => Concat["${priority_real}${filename}.conf"],
263 # Same as above, but for logroot
264 if ! defined(File[$logroot]) {
266 ensure => $logroot_ensure,
# NOTE(review): $logroot_mode also defaults to undef. The log directory should
# not be writable by accounts other than the one that starts httpd; consider
# passing an explicit restrictive mode.
267 mode => $logroot_mode,
268 require => Package['httpd'],
269 before => Concat["${priority_real}${filename}.conf"],
274 # Is apache::mod::passenger enabled (or apache::mod['passenger'])
275 $passenger_enabled = defined(Apache::Mod['passenger'])
277 # Is apache::mod::shib enabled (or apache::mod['shib2'])
278 $shibboleth_enabled = defined(Apache::Mod['shib2'])
# Work out the access-log and error-log destinations from the file, pipe and
# syslog parameters.
280 if $access_log and !$access_logs {
281 if $access_log_file {
# The file name is appended to $logroot as given; it is not normalised here.
282 $_logs_dest = "${logroot}/${access_log_file}"
283 } elsif $access_log_pipe {
# NOTE(review): a pipe destination names a program for httpd to start. Apache
# launches piped-log programs from the parent process, which normally runs as
# the user that started the server (often root), so treat this value as
# privileged configuration.
284 $_logs_dest = $access_log_pipe
285 } elsif $access_log_syslog {
286 $_logs_dest = $access_log_syslog
291 'file' => $access_log_file,
292 'pipe' => $access_log_pipe,
293 'syslog' => $access_log_syslog,
294 'format' => $access_log_format,
295 'env' => $access_log_env_var
297 } elsif $access_logs {
# Only the outer type is checked in the lines visible here; the individual
# elements are not verified to be hashes despite the wording of the message.
298 if !is_array($access_logs) {
299 fail("Apache::Vhost[${name}]: access_logs must be an array of hashes")
301 $_access_logs = $access_logs
305 $error_log_destination = "${logroot}/${error_log_file}"
306 } elsif $error_log_pipe {
# Same privilege consideration as for the access-log pipe above.
307 $error_log_destination = $error_log_pipe
308 } elsif $error_log_syslog {
309 $error_log_destination = $error_log_syslog
# Fallback names are built from the resource title under $logroot.
312 $error_log_destination = "${logroot}/${name}_error_ssl.log"
314 $error_log_destination = "${logroot}/${name}_error.log"
320 $listen_addr_port = "${ip}:${port}"
321 $nvh_addr_port = "${ip}:${port}"
323 $listen_addr_port = undef
325 if ! $servername and ! $ip_based {
326 fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters for name-based vhosts")
331 $listen_addr_port = $port
332 $nvh_addr_port = "${vhost_name}:${port}"
334 $listen_addr_port = undef
335 $nvh_addr_port = $name
337 fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters, and/or 'servername' parameter")
342 if $ip and defined(Apache::Listen["${port}"]) {
343 fail("Apache::Vhost[${name}]: Mixing IP and non-IP Listen directives is not possible; check the add_listen parameter of the apache::vhost define to disable this")
345 if ! defined(Apache::Listen["${listen_addr_port}"]) and $listen_addr_port and $ensure == 'present' {
346 ::apache::listen { "${listen_addr_port}": }
350 if ! defined(Apache::Namevirtualhost[$nvh_addr_port]) and $ensure == 'present' and (versioncmp($apache_version, '2.4') < 0) {
351 ::apache::namevirtualhost { $nvh_addr_port: }
355 # Load mod_rewrite if needed and not yet loaded
356 if $rewrites or $rewrite_cond {
357 if ! defined(Class['apache::mod::rewrite']) {
358 include ::apache::mod::rewrite
362 # Load mod_alias if needed and not yet loaded
363 if ($scriptalias or $scriptaliases != []) or ($redirect_source and $redirect_dest) {
364 if ! defined(Class['apache::mod::alias']) and ($ensure == 'present') {
365 include ::apache::mod::alias
369 # Load mod_proxy if needed and not yet loaded
370 if ($proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match) {
371 if ! defined(Class['apache::mod::proxy']) {
372 include ::apache::mod::proxy
374 if ! defined(Class['apache::mod::proxy_http']) {
375 include ::apache::mod::proxy_http
379 # Load mod_passenger if needed and not yet loaded
381 if ! defined(Class['apache::mod::passenger']) {
382 include ::apache::mod::passenger
386 # Load mod_fastcgi if needed and not yet loaded
387 if $fastcgi_server and $fastcgi_socket {
388 if ! defined(Class['apache::mod::fastcgi']) {
389 include ::apache::mod::fastcgi
393 # Check if mod_headers is required to process $headers/$request_headers
394 if $headers or $request_headers {
395 if ! defined(Class['apache::mod::headers']) {
396 include ::apache::mod::headers
400 if ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) {
401 if ! defined(Class['apache::mod::setenvif']) {
402 include ::apache::mod::setenvif
406 ## Create a default directory list if none defined
408 if !is_hash($directories) and !(is_array($directories) and is_hash($directories[0])) {
409 fail("Apache::Vhost[${name}]: 'directories' must be either a Hash or an Array of Hashes")
411 $_directories = $directories
414 provider => 'directory',
417 allow_override => $override,
418 directoryindex => $directoryindex,
421 if versioncmp($apache_version, '2.4') >= 0 {
422 $_directory_version = {
423 require => 'all granted',
426 $_directory_version = {
427 order => 'allow,deny',
432 $_directories = [ merge($_directory, $_directory_version) ]
435 ## Create a global LocationMatch if locations aren't defined
# $modsec_disable_ids is accepted either as a hash of location => IDs or as a
# plain array of IDs; any other type fails the catalog.
436 if $modsec_disable_ids {
437 if is_hash($modsec_disable_ids) {
438 $_modsec_disable_ids = $modsec_disable_ids
439 } elsif is_array($modsec_disable_ids) {
# NOTE(review): the array form is keyed to the pattern '.*', i.e. the listed
# rule IDs are associated with every location of the vhost. Prefer the hash
# form with narrow location patterns so that a rule exclusion does not apply
# vhost-wide by accident.
440 $_modsec_disable_ids = { '.*' => $modsec_disable_ids }
442 fail("Apache::Vhost[${name}]: 'modsec_disable_ids' must be either a Hash of location/IDs or an Array of IDs")
446 concat { "${priority_real}${filename}.conf":
448 path => "${::apache::vhost_dir}/${priority_real}${filename}.conf",
450 group => $::apache::params::root_group,
453 require => Package['httpd'],
454 notify => Class['apache::service'],
456 if $::apache::vhost_enable_dir {
457 $vhost_enable_dir = $::apache::vhost_enable_dir
458 $vhost_symlink_ensure = $ensure ? {
462 file{ "${priority_real}${filename}.conf symlink":
463 ensure => $vhost_symlink_ensure,
464 path => "${vhost_enable_dir}/${priority_real}${filename}.conf",
465 target => "${::apache::vhost_dir}/${priority_real}${filename}.conf",
467 group => $::apache::params::root_group,
469 require => Concat["${priority_real}${filename}.conf"],
470 notify => Class['apache::service'],
478 concat::fragment { "${name}-apache-header":
479 target => "${priority_real}${filename}.conf",
481 content => template('apache/vhost/_file_header.erb'),
487 concat::fragment { "${name}-docroot":
488 target => "${priority_real}${filename}.conf",
490 content => template('apache/vhost/_docroot.erb'),
495 if $aliases and ! empty($aliases) {
496 concat::fragment { "${name}-aliases":
497 target => "${priority_real}${filename}.conf",
499 content => template('apache/vhost/_aliases.erb'),
506 if $itk and ! empty($itk) {
507 concat::fragment { "${name}-itk":
508 target => "${priority_real}${filename}.conf",
510 content => template('apache/vhost/_itk.erb'),
515 # - $fallbackresource
516 if $fallbackresource {
517 concat::fragment { "${name}-fallbackresource":
518 target => "${priority_real}${filename}.conf",
520 content => template('apache/vhost/_fallbackresource.erb'),
525 # - $allow_encoded_slashes
526 if $allow_encoded_slashes {
527 concat::fragment { "${name}-allow_encoded_slashes":
528 target => "${priority_real}${filename}.conf",
530 content => template('apache/vhost/_allow_encoded_slashes.erb'),
539 # - $shibboleth_enabled
540 if $_directories and ! empty($_directories) {
541 concat::fragment { "${name}-directories":
542 target => "${priority_real}${filename}.conf",
544 content => template('apache/vhost/_directories.erb'),
549 # - $additional_includes
550 if $additional_includes and ! empty($additional_includes) {
551 concat::fragment { "${name}-additional_includes":
552 target => "${priority_real}${filename}.conf",
554 content => template('apache/vhost/_additional_includes.erb'),
561 # - $error_log_destination
563 if $error_log or $log_level {
564 concat::fragment { "${name}-logging":
565 target => "${priority_real}${filename}.conf",
567 content => template('apache/vhost/_logging.erb'),
571 # Template uses no variables
572 concat::fragment { "${name}-serversignature":
573 target => "${priority_real}${filename}.conf",
575 content => template('apache/vhost/_serversignature.erb'),
580 # - $_access_log_env_var
581 # - $access_log_destination
582 # - $_access_log_format
583 # - $_access_log_env_var
585 if $access_log or $access_logs {
586 concat::fragment { "${name}-access_log":
587 target => "${priority_real}${filename}.conf",
589 content => template('apache/vhost/_access_log.erb'),
596 concat::fragment { "${name}-action":
597 target => "${priority_real}${filename}.conf",
599 content => template('apache/vhost/_action.erb'),
606 if $block and ! empty($block) {
607 concat::fragment { "${name}-block":
608 target => "${priority_real}${filename}.conf",
610 content => template('apache/vhost/_block.erb'),
616 if $error_documents and ! empty($error_documents) {
617 concat::fragment { "${name}-error_document":
618 target => "${priority_real}${filename}.conf",
620 content => template('apache/vhost/_error_document.erb'),
627 # - $proxy_pass_match
628 # - $proxy_preserve_host
630 if $proxy_dest or $proxy_pass or $proxy_pass_match {
631 concat::fragment { "${name}-proxy":
632 target => "${priority_real}${filename}.conf",
634 content => template('apache/vhost/_proxy.erb'),
641 concat::fragment { "${name}-rack":
642 target => "${priority_real}${filename}.conf",
644 content => template('apache/vhost/_rack.erb'),
653 # - $redirect_source_a
654 # - $redirect_status_a
655 # - $redirectmatch_status
656 # - $redirectmatch_regexp
657 # - $redirectmatch_dest
658 # - $redirectmatch_status_a
659 # - $redirectmatch_regexp_a
660 # - $redirectmatch_dest
661 if ($redirect_source and $redirect_dest) or ($redirectmatch_status and $redirectmatch_regexp and $redirectmatch_dest) {
662 concat::fragment { "${name}-redirect":
663 target => "${priority_real}${filename}.conf",
665 content => template('apache/vhost/_redirect.erb'),
675 if $rewrites or $rewrite_rule {
676 concat::fragment { "${name}-rewrite":
677 target => "${priority_real}${filename}.conf",
679 content => template('apache/vhost/_rewrite.erb'),
686 if ( $scriptalias or $scriptaliases != [] ) {
687 concat::fragment { "${name}-scriptalias":
688 target => "${priority_real}${filename}.conf",
690 content => template('apache/vhost/_scriptalias.erb'),
696 if $serveraliases and ! empty($serveraliases) {
697 concat::fragment { "${name}-serveralias":
698 target => "${priority_real}${filename}.conf",
700 content => template('apache/vhost/_serveralias.erb'),
707 if ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) {
708 concat::fragment { "${name}-setenv":
709 target => "${priority_real}${filename}.conf",
711 content => template('apache/vhost/_setenv.erb'),
728 # - $ssl_honorcipherorder
729 # - $ssl_verify_client
730 # - $ssl_verify_depth
734 concat::fragment { "${name}-ssl":
735 target => "${priority_real}${filename}.conf",
737 content => template('apache/vhost/_ssl.erb'),
743 # - $suphp_addhandler
744 # - $suphp_configpath
745 if $suphp_engine == 'on' {
746 concat::fragment { "${name}-suphp":
747 target => "${priority_real}${filename}.conf",
749 content => template('apache/vhost/_suphp.erb'),
756 if ($php_values and ! empty($php_values)) or ($php_flags and ! empty($php_flags)) {
757 concat::fragment { "${name}-php":
758 target => "${priority_real}${filename}.conf",
760 content => template('apache/vhost/_php.erb'),
765 # - $php_admin_values
767 if ($php_admin_values and ! empty($php_admin_values)) or ($php_admin_flags and ! empty($php_admin_flags)) {
768 concat::fragment { "${name}-php_admin":
769 target => "${priority_real}${filename}.conf",
771 content => template('apache/vhost/_php_admin.erb'),
777 if $headers and ! empty($headers) {
778 concat::fragment { "${name}-header":
779 target => "${priority_real}${filename}.conf",
781 content => template('apache/vhost/_header.erb'),
787 if $request_headers and ! empty($request_headers) {
788 concat::fragment { "${name}-requestheader":
789 target => "${priority_real}${filename}.conf",
791 content => template('apache/vhost/_requestheader.erb'),
796 # - $wsgi_application_group
797 # - $wsgi_daemon_process
798 # - $wsgi_daemon_process_options
799 # - $wsgi_import_script
800 # - $wsgi_import_script_options
801 # - $wsgi_process_group
802 # - $wsgi_script_aliases
803 # - $wsgi_pass_authorization
804 if $wsgi_application_group or $wsgi_daemon_process or ($wsgi_import_script and $wsgi_import_script_options) or $wsgi_process_group or ($wsgi_script_aliases and ! empty($wsgi_script_aliases)) or $wsgi_pass_authorization {
805 concat::fragment { "${name}-wsgi":
806 target => "${priority_real}${filename}.conf",
808 content => template('apache/vhost/_wsgi.erb'),
# Adds the caller-supplied fragment to the vhost file.
# NOTE(review): the only check this manifest applies to $custom_fragment is
# validate_string, and the template presumably emits it as-is (the template
# is not shown here). Whoever can set this parameter can add arbitrary Apache
# directives to the vhost, so restrict it to trusted data sources.
814 if $custom_fragment {
815 concat::fragment { "${name}-custom_fragment":
816 target => "${priority_real}${filename}.conf",
818 content => template('apache/vhost/_custom_fragment.erb'),
827 if $fastcgi_server or $fastcgi_dir {
828 concat::fragment { "${name}-fastcgi":
829 target => "${priority_real}${filename}.conf",
831 content => template('apache/vhost/_fastcgi.erb'),
836 # - $suexec_user_group
837 if $suexec_user_group {
838 concat::fragment { "${name}-suexec":
839 target => "${priority_real}${filename}.conf",
841 content => template('apache/vhost/_suexec.erb'),
846 # - $passenger_app_root
847 # - $passenger_app_env
849 # - $passenger_min_instances
850 # - $passenger_start_timeout
851 # - $passenger_pre_start
852 if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start {
853 concat::fragment { "${name}-passenger":
854 target => "${priority_real}${filename}.conf",
856 content => template('apache/vhost/_passenger.erb'),
861 # - $add_default_charset
862 if $add_default_charset {
863 concat::fragment { "${name}-charsets":
864 target => "${priority_real}${filename}.conf",
866 content => template('apache/vhost/_charsets.erb'),
871 # - $modsec_disable_vhost
872 # - $modsec_disable_ids
873 # - $modsec_disable_ips
874 # - $modsec_body_limit
875 if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips {
876 concat::fragment { "${name}-security":
877 target => "${priority_real}${filename}.conf",
879 content => template('apache/vhost/_security.erb')
883 # Template uses no variables
884 concat::fragment { "${name}-file_footer":
885 target => "${priority_real}${filename}.conf",
887 content => template('apache/vhost/_file_footer.erb'),